Configure session behavior using custom policies in Azure Active Directory B2C

Single sign-on (SSO) session management in Azure Active Directory B2C (Azure AD B2C) enables an administrator to control interaction with a user after the user has already authenticated. For example, the administrator can control whether the selection of identity providers is displayed, or whether account details need to be entered again. This article describes how to configure the SSO settings for Azure AD B2C.

Session behavior properties

You can use the following properties to manage web application sessions:

  • Web app session lifetime (minutes) - The lifetime of the Azure AD B2C session cookie stored in the user's browser upon successful authentication.
    • Default = 86400 seconds (1440 minutes).
    • Minimum (inclusive) = 900 seconds (15 minutes).
    • Maximum (inclusive) = 86400 seconds (1440 minutes).
  • Web app session timeout - The session expiry type, Rolling or Absolute.
  • Single sign-on configuration - The session scope of the single sign-on (SSO) behavior across multiple apps and user flows in your Azure AD B2C tenant.

Configure the properties

To change your session behavior and SSO configuration, add a UserJourneyBehaviors element inside the RelyingParty element. The UserJourneyBehaviors element must immediately follow the DefaultUserJourney element. Your UserJourneyBehaviors element should look like this example:

<UserJourneyBehaviors>
   <SingleSignOn Scope="Application" />
   <SessionExpiryType>Absolute</SessionExpiryType>
   <SessionExpiryInSeconds>86400</SessionExpiryInSeconds>
</UserJourneyBehaviors>

Configure sign-out behavior

Secure your logout redirect

After logout, the user is redirected to the URI specified in the post_logout_redirect_uri parameter, regardless of the reply URLs that have been specified for the application. However, if a valid id_token_hint is passed and Require ID Token in logout requests is turned on, Azure AD B2C verifies that the value of post_logout_redirect_uri matches one of the application's configured redirect URIs before performing the redirect. If no matching reply URL was configured for the application, an error message is displayed and the user is not redirected.

To require an ID token in logout requests, add a UserJourneyBehaviors element inside the RelyingParty element. Then set the EnforceIdTokenHintOnLogout attribute of the SingleSignOn element to true. Your UserJourneyBehaviors element should look like this example:

<UserJourneyBehaviors>
  <SingleSignOn Scope="Tenant" EnforceIdTokenHintOnLogout="true"/>
</UserJourneyBehaviors>

To configure your application Logout URL:

  1. Sign in to the Azure portal.
  2. Make sure you're using the directory that contains your Azure AD B2C tenant by selecting the Directory + subscription filter in the top menu and choosing the directory that contains your Azure AD B2C tenant.
  3. Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
  4. Select App registrations, and then select your application.
  5. Select Authentication.
  6. In the Logout URL text box, type your post logout redirect URI, and then select Save.

Single sign-out

Configure the applications

When you redirect the user to the Azure AD B2C sign-out endpoint (for both the OAuth2 and SAML protocols), Azure AD B2C clears the user's session from the browser. To allow single sign-out, set the LogoutUrl of the application in the Azure portal:

  1. Navigate to the Azure portal.
  2. Choose your Azure AD B2C directory by clicking your account in the top right corner of the page.
  3. In the left menu, choose Azure AD B2C, select App registrations, and then select your application.
  4. Select Authentication.
  5. In the Logout URL text box, type your post logout redirect URI, and then select Save.

Configure the token issuer

To support single sign-out, the token issuer technical profiles for both JWT and SAML must specify:

  • The protocol name, such as <Protocol Name="OpenIdConnect" />
  • The reference to the session technical profile, such as <UseTechnicalProfileForSessionManagement ReferenceId="SM-OAuth-issuer" />.

The following example illustrates the JWT and SAML token issuers with single sign-out:

<ClaimsProvider>
  <DisplayName>Local Account SignIn</DisplayName>
  <TechnicalProfiles>
    <!-- JWT Token Issuer -->
    <TechnicalProfile Id="JwtIssuer">
      <DisplayName>JWT token Issuer</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputTokenFormat>JWT</OutputTokenFormat>
      ...
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-OAuth-issuer" />
    </TechnicalProfile>

    <!-- Session management technical profile for OIDC based tokens -->
    <TechnicalProfile Id="SM-OAuth-issuer">
      <DisplayName>Session Management Provider</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.OAuthSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    </TechnicalProfile>

    <!--SAML token issuer-->
    <TechnicalProfile Id="Saml2AssertionIssuer">
      <DisplayName>SAML token issuer</DisplayName>
      <Protocol Name="SAML2" />
      <OutputTokenFormat>SAML2</OutputTokenFormat>
      ...
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-issuer" />
    </TechnicalProfile>

    <!-- Session management technical profile for SAML based tokens -->
    <TechnicalProfile Id="SM-Saml-issuer">
      <DisplayName>Session Management Provider</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
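The two RelyingParty settings this article covers (the SessionExpiryInSeconds range and the UserJourneyBehaviors placement from "Configure the properties", and EnforceIdTokenHintOnLogout from "Secure your logout redirect") are easy to get wrong by hand, so the following added example, which is not Microsoft's code and not part of the article, lints a RelyingParty fragment for them before the policy is uploaded. The sample fragments, the ReferenceId "SignUpOrSignIn" and the finding messages are constructed for the example.

```python
import xml.etree.ElementTree as ET

MIN_SESSION_SECONDS = 900    # documented minimum for SessionExpiryInSeconds (15 minutes)
MAX_SESSION_SECONDS = 86400  # documented maximum and default (1440 minutes)

def _local(tag):  # strip any namespace prefix so a full, namespaced policy file also works
    return tag.split("}")[-1]

def _child(parent, name):  # first direct child with this local element name, or None
    return next((c for c in parent if _local(c.tag) == name), None)

def lint_relying_party(xml_text):
    """Return a list of findings about the session settings of a RelyingParty; [] is clean."""
    root = ET.fromstring(xml_text)
    rp = next((e for e in root.iter() if _local(e.tag) == "RelyingParty"), None)
    if rp is None:
        return ["no RelyingParty element found"]
    names = [_local(c.tag) for c in rp]
    if "UserJourneyBehaviors" not in names:
        return ["RelyingParty has no UserJourneyBehaviors element"]
    findings = []
    idx = names.index("UserJourneyBehaviors")
    if idx == 0 or names[idx - 1] != "DefaultUserJourney":  # ordering rule from the article
        findings.append("UserJourneyBehaviors must immediately follow DefaultUserJourney")
    ujb = list(rp)[idx]
    sso = _child(ujb, "SingleSignOn")
    # Without this flag, post_logout_redirect_uri is not checked against the app's redirect URIs.
    if sso is None or sso.get("EnforceIdTokenHintOnLogout", "").lower() != "true":
        findings.append('SingleSignOn does not set EnforceIdTokenHintOnLogout="true"')
    secs = _child(ujb, "SessionExpiryInSeconds")
    if secs is not None and not MIN_SESSION_SECONDS <= int(secs.text) <= MAX_SESSION_SECONDS:
        findings.append(f"SessionExpiryInSeconds {secs.text.strip()} is outside "
                        f"{MIN_SESSION_SECONDS}-{MAX_SESSION_SECONDS}")
    return findings

# Constructed sample: 7-day session (above the 86400 s maximum) and logout without id_token_hint.
WEAK_POLICY = """<RelyingParty><DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <UserJourneyBehaviors><SingleSignOn Scope="Tenant" />
    <SessionExpiryType>Rolling</SessionExpiryType>
    <SessionExpiryInSeconds>604800</SessionExpiryInSeconds>
  </UserJourneyBehaviors></RelyingParty>"""

# Constructed sample: corrected fragment that passes every check.
HARDENED_POLICY = """<RelyingParty><DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <UserJourneyBehaviors><SingleSignOn Scope="Application" EnforceIdTokenHintOnLogout="true" />
    <SessionExpiryType>Absolute</SessionExpiryType>
    <SessionExpiryInSeconds>3600</SessionExpiryInSeconds>
  </UserJourneyBehaviors></RelyingParty>"""
```

Running `lint_relying_party(WEAK_POLICY)` reports both the out-of-range lifetime and the missing logout enforcement, while the hardened fragment returns no findings.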

Next steps